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DETAILED ACTION 
Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) wliich forms tlie basis for all 
obviousness rejections set fortli in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

1. Claims 1-3, 5 and 26 are rejected under 35 U.S.C. 103(a) as being unpatentable 

over See (US 2003/0021283) in view of Curie (US 6,871 ,232). 

Regarding claim 1, See describes a distributed network management system of 

controllino usage of network resources on a communication network ^abstract. 

individual network device each distributively performing rules/policy management), 

comprising: 

(a) creating one or more packet rules (policy rules) for analyzing packets 
received at one or more devices of the communications network, each rule including a 
condition and action to be taken if a packet received at a device satisfies the condition 
(fig. 4 and paragraph 35); 

(b) storing the one or more packet rules (paragraph 35, policy rules stored in 
repository table); 

(c) creating one or more service abstractions (policy groups), each service 
abstraction representing a [named] set of one or more of the packet rules (paragraph 
35, "According to one embodiment, the policy rules are organized into policy groups 
based on a rule type 52"; 
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(d) storing the one or more service abstractions (paragraph 35, policy groups 
stored in repository table); 

(e) associating one or more of the service abstractions with a computer host of 
the communications network (paragraph 27, where network devices may be computer 
hosts, and paragraph 30, "According to one embodiment, the policies relevant to a 
particular network device 24, 26, 28 are selected based on a role assigned to the 
device" and paragraph 35, "A rule type may organize policies into role policies"). 

See fails to describe: 

controlling usage based on the identity of an authenticated user, and associating 
one or more service abstraction with an authenticated user. 
Curie describes: 

controlling usage based on the identity of an authenticated user, and associating 
one or more service abstraction with an authenticated user (abstract, fig. 1 1 A, col. 1 1 , 
lines 50-52 & col. 17, lines 16-18, user authentication, plus col. 21, lines 50-65, 
associating/grouping common policy (abstraction) with the user). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to describe an authenticated user is used for controlling network 
usage and is associated with an service abstraction as described in Curie for the 
network usage control of See. 

The motivation for combining the teachings is that it enables the resource 
provisioning of plurality of organizations (with different users) using a single, centralized 
logical server (Curie, col. 3, lines 41-57). 
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Regarding claim 2, See describes all limitations set forth in claim 1. See further 
describes: 

(f) configuring a network device of the communications network with one or more 
packet rules according to at least one of the service abstractions (policy groups) 
(paragraph 26, "The policy repository 22 stores a plurality of policy rules that may be 
used by the network devices 24, 26, 28 to control different network elements" and 
paragraph 38, "The action 58 may be identifying a policy group based on a device 
attribute..") 

Regarding claim 3, See describes all limitations set forth in claim 2. See further 
describes: 

configuring a port module of a switching device of the communications network 
with one or more packet rules according to at least one of the service abstractions 
(paragraph 22, "According to one embodiment, the network policies are used to 
disable network ports based on predetermined conditions,") 

Regarding claim 5, See describes all limitations set forth in claim 1. See further 
describes: 

(C) distributing the one or more service abstractions to one or more network 
devices residing on the communications network (paragraph 30, "According to one 
embodiment, the policies relevant to a particular network device 24. 26, 28 are selected 
based on a role assigned to the device" and paragraph 35. "A rule type may organize 
policies into role policies"). 
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Regarding claim 26. See describes a system of controlling usage of network 
resources on a communication network (abstract individual network device each 
distributively performing rules/policy management), comprising: 

(a) creating one or more packet rules (policy rules) for analyzing packets 
received at one or more devices of the communications network, each rule including a 
condition and action to be taken if a packet received at a device satisfies the condition 
(fig. 4 and paragraph 35); 

(b) storing the one or more packet rules (paragraph 35, policy rules stored in 
repository table); 

(c) creating one or more service abstractions (policy groups), each service 
abstraction representing a named set of one or more of the packet rules (paragraph 35. 
"According to one embodiment, the policy rules are organized into policy groups based 
on a rule type 52". 

(d) storing the one or more service abstractions (paragraph 35, policy groups 
stored in repository table); 

See lacks describing that a computer progriam product to perform the above- 
mention process, comprising: 

a computer readable medium and computer readable signals stored on the 
computer readable medium that define instructions that, as a result of being executed 
by a computer, instruct the computer to perform the process. 

The examiner takes official notice that the system of See may be implemented 
using a computer comprising a readable medium and a program with instructions which 
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executes the process. The motivation being that such implementation using a [generic] 
computer may be more economical and faster to develop than via a customized 
hardware system. 

See fails to describe: 

controlling usage based on the identity of an authenticated user, and associating 
one or more service abstraction with an authenticated user. 
Curie describes: 

controlling usage based on the identity of an authenticated user, and associating 
one or more service abstraction with an authenticated user (abstract, fig. 1 1 A, col. 1 1 , 
lines 50-52 & col. 17, lines 16-18, user authentication, plus col. 21, lines 50-65, 
associating/grouping common policy (abstraction) with the user). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to describe an authenticated user is used for controlling network 
usage and is associated with an service abstraction as described in Curie for the 
network usage control of See. 

The motivation for combining the teachings is that it enables the resource 
provisioning of plurality of organizations (with different users) using a single, centralized 
logical server (Curie, col. 3, lines 41-57). 

2. Claim 7-9, and 1 1 , 27-29 and 31 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over See in view of Azarmi (5,905,715), and further in view of Curie. 
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Regarding claim 7, See and Curie describe all limitations set forth in claim 1 , 
where the user is an authenticated user (Curie, col. 17, lines 16-18). 
See and Curie combined lack what Azarmi describes: 

(f) creating one or more role abstractions (feature-describing data set), each role 
abstraction representing a role of a user with respect to the communications network 
(manageable aspect of the communications network), and each role abstraction 
including a set of one more service abstractions (management rule profiles) (col. 2, lines 
42-51, & fig. 20 where such control/provisioning is for [associated with] individual users). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify (another) role abstraction layer to group the (existing) 
service abstraction layer. The motivation being that "It defines a stmctural architecture 
within which business processes, and therefore management systems required to 
provide services on a network", Azarmi, col. 2, lines 10-12). 

Regarding claim 8, See, Curie and Azarmi combined describe all limitations set 
forth in claim 7. See, Curie and Azarmi further describe: 

(g) configuring a network device of the communications network with one or more 
packet rules according to one of the role abstractions (See, paragraph 26, "The policy 
repository 22 stores a plurality of policy rules that may be used by the network devices 
24, 26, 28 to control different network elements" and See, paragraph 38, "The action 58 
may be identifying a policy group based on a device attribute.." \N\)ere the policy group 
[i.e. service abstraction layer] is replaced by Azarmi's feature set [i.e. role abstraction 
layer]). 
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Regarding claim 9, See, Curie and Azarmi combined describe all limitations set 
forth in claim 8. See, Curie and Azarmi further describe: 

configuring a port module of a switching device of the communications network 
with one or more packet rules according to at least one of the role abstractions (See, 
paragraph 22, "According to one embodiment, the network policies are used to .. 
disable network ports based on predetermined conditions", where the policy (group) [i.e. 
service abstraction layer] is replaced byAzarmi's feature set [i.e. role abstraction layer]). 

Regarding claim 11, See, Curie and Azarmi combined describe all limitations 
set forth in claim 7. See, Curie and Azamni further describe: 

(g) distributing the one or more role abstractions to one or more network devices 
residing on the communications networi^ (See, paragraph 30, "According to one 
embodiment, the policies relevant to a particular network device 24, 26, 28 are selected 
based on a role assigned to the device" and See, paragraph 35, "A rule type may 
organize policies into role policies", where the role (policy) [i.e. service abstraction layer] 
is replaced by Azarmi's feature set [i.e. role abstraction layer]). 

Regarding claims 27, See describes a method of controlling usage of networi< 
resources on a communication network (abstract, individual network device each 
distributive^ performing rules/policy management), comprising: 

(a) defining one or more packet rules (policy rules) for analyzing packets 
received at one or more devices of the communication network, each rule including a 
condition and action to be taken if a packet received at a device satisfies the condition 
(fig. 4 and paragraph 35); 
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(b) providing the one or more packet rules (paragraph 35, pacl<et rules in 
repository table ready for use); 

See lacks what Azarmi describes: 

(c) defining one or more role abstractions (feature-describing data set), each role 
abstraction representing a role of a user with respect to the communications network 
(manageable aspect of the communications network), and each role abstraction 
including a set of one more packet rule (management rule profiles containing 
management rules) (col. 2, lines 42-51 , & fig. 20 where such control/provisioning is for 
[associated with] individual users). 

(d) providing the one or more role abstractions (col. 2, lines 30-34, provided for 
monitoring and controlling the service provisions). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify the role abstraction layer to group the packet rules 
(layer). The motivation being that "It defines a structural architecture within which 
business processes, and therefore management systems required to provide services 
on a networic", Azarmi, col. 2, lines 10-12. 

See and Azarmi combined fails to describe: 

controlling usage based on the identity of an authenticated user, and associating 
one or more service abstraction with an authenticated user. 
Curie describes: 

controlling usage based on the identity of an authenticated user, and associating 
one or more service abstraction with an authenticated user (abstract, fig. 1 1 A, col. 1 1 , 
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lines 50-52 & col. 17, lines 16-18, user authentication, plus col. 21, lines 50-65, 
associating/grouping common policy (abstraction) with the user). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to describe an authenticated user is used for controlling network 
usage and is associated with an service abstraction as described in Curie for the 
network usage control of See and Azarmi. 

The motivation for combining the teachings is that it enables the resource 
provisioning of plurality of organizations (with different users) using a single, centralized 
logical server (Curie, col. 3, lines 41-57). 

Regarding claim 28, See and Azarmi combined describes all limitations set forth 
in claim 27. See and Azarmi further describe: 

(e) configuring a network device of the communications network with one or more 
packet rules according to one of the role abstractions (See, paragraph 26, "The policy 
repository 22 stores a plurality of policy rules that may be used by the network devices 
24, 26, 28 to control different network elements" and See, paragraph 38, "The action 58 
may be identifying a policy group based on a device attribute.." where the policy group 
[i.e. sen/ice abstraction layer] is replaced by Azarmi' s feature set [i.e. role abstraction 
layer]). 

Regarding claim 29, See and Azarmi combined describe all limitations set forth 
in claim 28. See and Azarmi further describe step (C) of: 

configuring a port module of a switching device of the communications network 
with one or more packet rules according to at least one of the role abstractions (See, 
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paragraph 22, "According to one embodiment, the networl< policies are used to .. 
disable networl< ports based on predetermined conditions", where the policy (group) [i.e. 
service abstraction layer] is replaced byAzarmi's feature set [i.e. role abstraction layer]). 

Regarding claim 31, See and Azarmi combined describe all limitations set forth 
in claim 27. See and Azarmi further describe step (C) of: 

(e) distributing the one or more role abstractions to one or more network devices 
residing on the communications network (See, paragraph 30, "According to one 
embodiment, the policies relevant to a particular network device 24, 26, 28 are selected 
based on a role assigned to the device" and See, paragraph 35, "A rule type may 
organize policies into role policies", where the role (policy) [i.e. service abstraction layer] 
is replaced by Azarmi's feature set [i.e. role abstraction layer]). 

3. Claims 13-15 and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over See in view of Nessett and Curie. 

Regarding claim 13, See describes a system for controlling usage of network 
resources on a communications network (abstract, individual network device each 
distributively performing rules/policy management), the system comprising: 

creating one or more packet rules for analyzing packets received at one or more 
devices of the communications network, each rule including a condition and action to be 
taken if a packet received at a device satisfies the condition; and 

creating one or more service abstractions, each service abstraction representing 
a named set of one or more of the packet rules. 
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[assigning logic to] associate one or more of tlie service abstractions witli a user 
(computer host) of the communications network (paragraph 27, where network devices 
may be computer hosts, which is a user of the communication network, and paragraph 
30, "According to one embodiment, the policies relevant to a particular network device 
24, 26, 28 are selected based on a role assigned to the device" and paragraph 35, "A 
rule type may organize policies into role policies"). 

storage means for storing one or more packet rules (paragraph 35, policy rules 
stored in repository table); 

See lacks what Nessett describes: 

a rule editing module [to create pack rules] (fig. 1 , security policy management 
back-end #32) and a service editing module [means to create service abstractions] (fig. 
1 , security policy language interpreter #34) 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify respective editing modules to be used for creating the 
packet rules and service abstractions as specified in See. The motivation for using 
separate modules in performing layered rules & service abstraction functionality is "As 
the partitioning becomes finer grained, access to resources outside of the firewall 
partition experiences increasing degraded performance. Another approach to this 
problem is to distribute firewall functionality down into lower layers of the protocol 
hierarchy" (Nessett, col. 2, lines 51-56). 

See and Nessett combined fail to describe: 
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controlling usage based on the identity of an authenticated user, and associating 
one or more service abstraction with an authenticated user. 
Curie describes: 

controlling usage based on the identity of an authenticated user, and associating one or 
more service abstraction with an authenticated user (abstract, fig. 11 A, col. 11, lines 50- 
52 & col. 17, lines 16-18, user authentication, plus col. 21, lines 50-65, 
associating/grouping common policy (abstraction) with the user). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to describe an authenticated user is used for controlling network 
usage and is associated with an service abstraction as described in Curie for the 
network usage control of See and Nessett. 

The motivation for combining the teachings is that it enables the resource 
provisioning of plurality of organizations (with different users) using a single, centralized 
logical server (Curie, col. 3, lines 41-57). 

Regarding clainfi 14, See, Nessett and Curie combined describe all limitations 
set forth in claim 13. See further describes: 

[logic to] configure a network device of the communications network with one or 
more packet rules according to at least one of the service abstractions (policy groups) 
(paragraph 26, "The policy repository 22 stores a plurality of policy rules that may be 
used by the network devices 24. 26, 28 to control different network elements" and 
paragraph 38, "The action 58 may be identifying a policy group based on a device 
attribute..") 
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Regarding claim 15, See, Nessett and Curie combined describe all limitations 
set forth in claim 14. See further describes: 

[port configuration logic] to configure a port module of a switching device with 
one or more packet rules according to at least one of the service abstractions 
(paragraph 22, "According to one embodiment, the network policies are used to .. 
disable network ports based on predetermined conditions,") 

Regarding claim 17, See, Nessett and Curie combined describe all limitations 
set forth in claim 13. See further describes: 

a distribution module (fig. 2, policy repository #20) to distribute the one or more 
service abstractions to one or more network devices residing on the communications 
network (paragraph 30, "According to one embodiment, the policies relevant to a 
particular network device 24, 26, 28 are selected based on a role. assigned to the 
device" and paragraph 35, "A rule type may organize policies into role policies"). 

4. Claims 19-21 and 23 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over See in view of Nessett and Curie, and further in view of Azarmi. 

Regarding claim 19, See, Nessett and Curie combined describe all limitations 
set forth in claim 13, where the user is an authenticated user (Curie, col. 17, lines 16- 
18). 

See, Nessett and Curie combined lack what Azarmi describes: 
A role editing module (Nessett, fig. 1 , front end #31) to create one or more role 
abstractions (feature-describing data set), each role abstraction representing a role of a 
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user with respect to the communications networl< (manageable aspect of the 
communications networl<), and each-role abstraction including a set of one more service 
abstractions (management rule profiles) (col. 2, lines 42-51). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify (another) role abstraction layer to group the (existing) 
service abstraction layer. The motivation being that "It defines a structural architecture 
within which business processes, and therefore management systems required to 
provide services on a network", Azarmi, col. 2, lines 10-12. 

Regarding claim 20, See, Nessett, Curie and Azarmi combined describe all 
limitations set forth in claim 19. See, Nessett, Curie and Azarmi further describe: 

[logic to] configure a network device with one or more packet rules according to 
one of the role abstractions (See, paragraph 26, "The policy repository 22 stores a 
plurality of policy rules that may be used by the network devices 24, 26, 28 to control 
different network elements" and See, paragraph 38, "The action 58 may be identifying a 
policy group based on a device attribute.." where the policy group [i,e, serv/ce 
abstraction layer] is replaced by Azarmi's feature set [i.e. role abstraction layer]). 

Regarding claim 21, See, Nessett, Curie and Azarmi combined describe all 
limitations set forth in claim 20. See, Nessett, Curie and Azarmi further describe: 

[port configuration logic to] configure a port module of a switching device with 
one or more packet rules according to one of the role abstractions (See, paragraph 22, 
"According to one embodiment, the network policies are used to .. disable network ports 
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based on predetermined conditions", where the policy (group) [i.e. service abstraction 
layer] is replaced by Azarmi's feature set [i.e. role abstraction layer]). 

Regarding claim 23, See, Nessett, Curie and Azarmi combined describe all 
limitations set forth in claim 19. See, Nessett and Azarmi further describe: 

a distribution module (See, fig. 2, policy repository #20) to distribute the one or 
more role abstractions to one or more network devices residing on the communications 
network (See, paragraph 30, "According to one embodiment, the policies relevant to a 
particular network device 24, 26, 28 are selected based on a role assigned to the 
device" and See, paragraph 35, "A rule type may organize policies into role policies", 
where the role (policy) [i.e. sen/ice abstraction layer] is replaced by Azarmi's feature set 
[i.e. role abstraction layer]). 

5. Claims 33-35, 37 and 40 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over See in view of Azarmi, Nessett and Curie. 

Regarding claims 33 and 40, See describes a system of controlling usage of 
network resources on a communication network (abstract, individual network device 
each distributively performing rules/policy management), [official notice taken that the 
system may be implemented using a computer comprising a readable medium and a 
program with instructions which executes the process], comprising: 

creating one or more packet rules (policy rules) for analyzing packets received at 
one or more devices of the communication network, each rule including a condition and 
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action to be taken if a packet received at a device satisfies the condition (fig. 4 and 
paragraph 35); 

storage means for storing one or more created packet rules (paragraph 53, 
repository table storing the policy (packet) rules); 
See lacks what Azarmi describes: 

creating one or more role abstractions (feature-describing data set), each role 
abstraction representing a role of a user with respect to the communications network 
(manageable aspect of the communications network), and each role abstraction 
Including a set of one more packet rule (management rule profiles containing 
management rules) (col. 2, lines 42-51, & fig. 20 where such control/provisioning is for 
[associated with] individual users). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify the role abstraction layer to group the packet rules 
(layer). The motivation being that "It defines a structural architecture within which 
business processes, and therefore management systems required to provide services 
on a network", Azamii, col. 2, lines 10-12. 

See and Azarmi combined lack what Nessett describes: 

a rule editing module [to create pack rules] (fig. 1 , security policy management 
back-end #32) and a role editing module (Nessett, fig. 1, front end #31) [means to 
create role abstractions]. 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify respective editing modules to be used for creating the 
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packet rules and service abstractions as specified in See and Azarmi. The motivation 
for using separate modules in performing layered rules & service abstraction 
functionality is "As the partitioning becomes finer grained, access to resources outside 
of the firewall partition experiences increasing degraded performance. Another 
approach to this problem is to distribute firewall functionality down into lower layers of 
the protocol hierarchy" (Nessett, col. 2, lines 51-56). 

See, Azarmi and Nessett combined fails to describe: 

controlling usage based on the identity of an authenticated user, and associating 
one or more service abstraction with an authenticated user. 
Curie describes: 

controlling usage based on the identity of an authenticated user, and associating 
one or more service abstraction with an authenticated user (abstract, fig. 1 1 A, col. 1 1 , 
lines 50-52 & col. 17, lines 16-18, user authentication, plus col. 21, lines 50-65, 
associating/grouping common policy (abstraction) with the user). 

It would have been obvious to one with ordinary skill jn the art at the time of 
invention by applicant to describe an authenticated user is used for controlling network 
usage and is associated with an service abstraction as described in Curie for the 
network usage control of See, Azarmi and Nessett. 

The motivation for combining the teachings is that it enables the resource 
provisioning of plurality of organizations (with different users) using a single, centralized 
logical server (Curie, col. 3, lines 41-57). 
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Regarding claim 34, See, Nessett and Azarmi combined describe all limitations 
set forth in claim 33. See, Nessett and Azamni further describe: 

[logic to] configure a network device of the communications network with one or 
more packet rules according to one of the role abstractions (See, paragraph 26, "The 
policy repository 22 stores a plurality of policy rules that may be used by the network 
devices 24, 26, 28 to control different network elements" and See, paragraph 38, "The 
action 58 may be identifying a policy group based on a device attribute.." where the 
policy group [i.e. sen/ice abstraction layer] is replaced by Azarmi' s feature set [i.e. role 
abstraction layer]). 

Regarding claim 35, See, Nessett and Azarmi combined describe all limitations 
set forth in claim 34. See, Nessett and Azarmi further describe step (C) of: 

[port configuration logic] to configure a port module of a switching device of the 
communications network with one or more packet rules according to at least one of the 
role abstractions (See, paragraph 22, "According to one embodiment, the network 
policies are used to .. disable network ports based on predetermined conditions", where 
the policy (group) [i.e. service abstraction layer] is replaced byAzarmi's feature set [i.e. 
role abstraction layer]). 

Regarding claim 37, See, Nessett and Azarmi combined describe all limitations 
set forth in claim 33. See, Nessett and Azarmi further describe step (C) of; 

a distribution module (See, fig. 2, #20) to distribute one or more role abstractions 
to one or more network devices residing on the communications network (See, 
paragraph 30, "According to one embodiment, the policies relevant to a particular 
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network device 24, 26, 28 are selected based on a role assigned to the device" and 
See, paragraph 35, "A rule type may organize policies into role policies", where the role 
(policy) [i.e. service abstraction layer] is replaced by Azarmi's feature set [i.e. role 
abstraction layer]). 



Response to Arguments 
6. Applicant's arguments with respect to claims 1-3, 5. 7-9, 11, 13-15, 17, 19-21, 23, 
26-29, 31 , 33-35, 37 and 40 have been considered but are moot in view of the new 
Applicant's arguments filed August 1 3, 2007 have been fully considered but they are not 
persuasive. 

On p. 10 paragraphs 2-4, the applicant argues that Curie cannot be used to 
teach controlling using base on the identity of an authenticated user because the 
present invention in which using of the communication s network itself is controlled at 
the device level versus at a central server. The examiner respectfully disagrees. 

The examiner understands that the main reference of See is already controlling 
the network management at each network device (abstract & paragraph 27). One of 
ordinary skill in the art understands that both See and Curie are addressing network 
policy authentication and can extend the "individual user authentication" described in 
the centralized management embodiment of Curie to the distributed management 
embodiment of See which authenticates individual computer hosts. 

On p. 1 1 paragraph 1 , the applicant argues, "Currie does not disclose, teach, or 
suggest associating one or more service abstractions with an authenticated user." 



Application/Control Number: 1 0/071 ,228 Page 21 

Art Unit: 2616 

Similar to above argument , the examiner asserts that the applicant is using a piecemeal 
analysis . The examiner understand that the main See reference describes one or more 
service abstractions (policy groups) representing a set of packet rules containing a 
condition and an action (paragraph 35 & fig. 4) for a computer host. One or ordinary 
skill in the art can readily extend the "individual authenticated user" of Curie in replacing 
"computer host" described by See. 

ON p. 1 1 paragraph 2, the applicant argues that there is an invalid motivation to 
combine See and Curie. The examiner respectfully disagrees. 

Again, the examiner noted that both references describe network 
authentication/policy management, thus combinable (for the concept of replacing 
"computer host" level authentication with "individual user" level authentication). A 
proper motivation statement has been provided in the Office Actions. 

The examiner noted that the appended claim feature "to control usage of network 
resources on the commuhication network" to each of the independent claim is already 
stated as part of each independent claim's preamble and has already been considered. 
Thus, the examiner has amended the Independent claims' preambles In the Officie 
Action to clarify that the reference of See also controls the usage of network resources 
on the communication network (see abstract). 

The rest of the arguments on pp. 11-15 are directly or indirectly based on the 
above arguments, or have been addressed in previous Office Actions' responses. 
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Conclusion 

7. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply Is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Warner Wong whose telephone number is 571-272- 
8197. The examiner can normally be reached on 6:30AM - 3:00PM, M-F. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kwang Yao can be reached on 571-272-3182. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding tiie status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR.. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-91 99 (IN USA OR CANADA) or 571-272-1 000. 

Warner Wong 

Examiner (/\J 

Art Unit 2616 

KWANQBINYAO 
SUPERVISORY PATSNT EXAMINER 




